Monday, April 16, 2012

China: Our Incompetent Master Adversary?

According to an article in today's Guardian, State Department and Pentagon officials and their Chinese counterparts engaged in at least two cyber war games in 2011 and have another planned for next month. These war games are coordinated by two think tanks: the Center for Strategic and International Studies for the U.S. and the China Institute of Contemporary International Relations. The goal is to try to manage escalating hostilities between the two nations over China's perceived massive cyber espionage campaign against U.S. companies.

It's distressing to see that the tensions have risen to this point because it's based on a seriously flawed evaluation of the facts by well-known companies plus former and present U.S. government officials. For example:

U.S. information security companies like RSA, McAfee, Mandiant, and others routinely issue reports blaming China and ONLY China for intrusions that they've encountered. It's incredible to me that in spite of the 30+ countries actively engaging in acts of cyber espionage, these security giants have only caught China in the act.

Secretary of State Hillary Clinton has been quick to blame China for cyber attacks that targeted Google, but for no other reason than that Google said so. And the Secretary has never once warned other countries to cease their cyber attacks against the U.S.

The U.S.-China Economic and Security Review Commission routinely puts out alarmist reports about China's military cyber buildup while deliberately refusing to hear testimony by experts who have contrary views to the commission's anti-China agenda.

Richard Clarke's Sinophobic, alarmist op-eds routinely get published in the Wall Street Journal and elsewhere even though Mr. Clarke has no standing as a cyber security expert.

No wonder that the Chinese government's irritation with the U.S. has risen to the point where we need CSIS and its Chinese counterpart to conduct a mediation. Beijing is getting tired of being blamed for every attack against every company everywhere in the world, and they're right to be mad. As I've said many times before, it's not that China doesn't do it; they absolutely do, but so do many other countries, and just as frequently, yet we almost never hear about a major breach being blamed on any country other than China. Either China is the greatest and dumbest adversary that we've ever had, or the real dummies are those in the InfoSec industry who can't be bothered to question the obvious when doing incident response or who choose to cater to the rising tide of Sinophobia in the U.S. in order to boost their sales, or the politicians and journalists who parrot back the faulty claims of those same companies, thereby perpetuating a bad cycle that has resulted in real-world tensions that could have been handled in a more constructive way all along.

While the marketing of anti-China sentiment by some in the InfoSec industry is clearly one part of this disaster in foreign relations, the media deserves its share of the blame for opting to print stories that cater to China FUD because it results in higher readership, which means more advertising revenue. Since the American public is generally naive about cyber operations by nation states, they believe what they hear about China in the media and cast their votes for the politician who will save them from the menacing red dragon who's sopping up their brain waves and living inside their electric wires. Politicians, being what they are, cater to that fear and make pronouncements and threats accordingly in order to win votes.

The solution to this problem is simple. As a nation, we need to ask more questions. Accept nothing at face value no matter which "authority" tells it to you, including me. Good intelligence analysts use negative analysis to test their findings before sending them on to their customers. A little more negative analysis by all parties involved may be what's needed to reduce U.S.-China tensions and improve U.S. security. And it doesn't cost any money to do it.